Financial services firms, pharmaceutical companies and other heavily regulated organizations have long devoted significant resources to a compliance office, typically with a chief compliance officer and strong support staff. Multinationals have embedded part of the compliance function locally, typically with reporting to both the central compliance office and local management. But companies not facing heavy regulation, even large ones, have struggled in deciding whether a full time compliance office is needed.

Well, now there are clear indications that a full-time role is becoming more common. Compliance Week recently reported on two studies saying just that. One is from the Open Compliance and Ethics Group (OCEG), whose survey shows 75% of the 365 respondents have a chief ethics and compliance officer or similar title with “top-level oversight of compliance.” And 40% said the compliance chief has no other role in their company, and for companies with over $1 billion in revenue, the number is 55%. Where the title is shared, it’s with the company’s legal department 23% of the time. The other survey was conducted by the Society of Corporate Compliance & Ethics, showing that of 560 respondents, 97% have a designated compliance or ethics officer, with 36% having no other title. Of those with another role in the company, 20% share responsibilities in the legal department. As with the OCEG study, other shared roles range from the chief audit executive, CFO, and head of human resources, among others.

Also telling about the relative importance of the compliance officer role are the reporting relationships. The SCCE study, for instance, shows the chief compliance officer reporting directly to the CEO in 55% of the organizations. And the compliance officer provides reports to the board of directors or a board committee both in writing and face-to-face in 80% of the companies. And with a more senior role comes higher pay. The OCEG study shows the most common level of compensation (36%) is between $150,000 and $250,000, with 20% reporting pay at $350,000 and above, not counting bonuses, stock options or other forms of pay. As we might expect, pay in larger companies is at the higher end, with companies with more than $1 billion in revenue showing 23% with total compensation at the $450,000 level or higher.

Certainly, if you’re directly or tangentially involved with compliance, these numbers probably aren’t surprising. With the regulatory spotlight shining brightly and companies struggling to keep costs from soaring out of control and to enhance compliance program effectiveness, companies are looking to strengthen the role of their chief compliance officer.

OPUS is a unique gathering where OpenPages customers come to share experiences and learn. In its 6th year, OPUS is steeped in tradition and one of the foremost traditions is pairing local culture and flavor with social networking. OPUS 2010 continues that tradition with the announcement of the OPUS 2010 Gala to be held at the historic Boston Public Library, providing a true Boston experience with local culture, fare and history.

Home to over 1.2 million rare books and manuscripts including one of the rare Gutenberg Bibles and several first edition folios by William Shakespeare, the Boston Public Library is also known for its rich architectural history. Founded in 1848, by an act of the Great and General Court of Massachusetts, the Boston Public Library (BPL) was the first large free municipal library in the United States. The present location at Copley Square in Boston is across the street from OPUS 2010 and has been home to the Library since 1895, when architect Charles Follen McKim completed his “palace for the people.”

The OPUS 2010 Gala will begin with a cocktail reception overlooking the majestic outdoor Courtyard whose arcaded promenade is a replica of the Cancelleria Palace in Rome. Dinner will follow in the Popular Reading Room which looks out onto Copley Square and the Old South Church. The room features an ornate architectural vaulted ceiling with interlocking Guastavino terra cotta tiles and a distinct bookcase-lined mezzanine on two sides.

Desserts, music and fun will round out the evening in the beautiful Abbey Room, where the famous “Quest of the Holy Grail” murals by American artist Edwin Austin Abbey have graced the walls since 1895. In true OPUS tradition, the Abbey Room will host the OPUS casino where you can try your hand at blackjack, roulette, and craps – not sure this is what Mr. Abbey had in mind! If you’re an OpenPages customer, we hope you will join us; it promises to be a fun evening with a little bit of culture on the side!

CapGemini hosted a conversation on enterprise risk management this morning at GARP. Panelists touched on a number of issues that need to be tackled for successful enterprise risk management:

Helga Houston from Phoenix Global Advisors pointed out that many banking institutions grew very rapidly over the last 10 years and for the most part the risk management infrastructure didn’t keep pace.

Bradley Farris of BB&T agreed with Houston and added that the “demands on the data side are incredible.”

Houston touched on another key point: risk information surfaced to the business needs to drive dialog with the business. Everyone agreed that risk management needs to engage with the business, to reinvent language so that risk managers can have fruitful conversations with the business. Her point was that without having buy in from the business it’s very hard to change processes to mitigate risks.

Panelists also focused on the importance of governance processes and infrastructure to support the dialog with the business. All agreed that the market and credit risk processes are typically well-supported and that there’s a lot of opportunity for improvement in the operational risk domain.

It’s clear that one of the themes of the conference is that risk managers have to engage the business with information and dialog that’s useful to enhancing the performance of the business vs. satisfying risk management needs alone.

This morning’s featured panel discussion at GARP includes several CROs and senior risk practitioners from Morgan Stanley, The Vanguard Group, Credit Suisse and Western Asset Management.

The first topic was VAR. VAR works in “normal markets.” There is a question of what the appropriate time window is. One panelist remarked that it would be good to have better regulatory consistency on this issue: should companies be focused on a 1-year or 4-year timeframe, for instance?

VAR tends to distract you from the tails, and one panelist remarked that “you really need to stay focused on the tails,” e.g. gap risk, liquidity risk, etc. The panelist continued to say that he’s really focused on the deep downside risk: how much money could the position/desk possibly lose. You have to be very dynamic in thinking about where you can be hit next.

The third panelist asserted, “I think VAR is worthless and pernicious and should be banned,” noting that it’s not a coherent risk measure (99.9% VAR doesn’t handle a 1 in 200 year event). Also, the panelist pointed out that it doesn’t encourage diversification. He focused on scenario analysis but said that there is no easy answer.

Another panelist defended VAR as a tool that has its pluses and minuses.
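To make the “not coherent” and “doesn’t encourage diversification” objections concrete, here is a small added illustration (not from the panel or from OpenPages). It uses a constructed toy distribution: two independent positions that each lose 100 with probability 0.6% and nothing otherwise. At the 99% level each position’s VAR is zero, yet the VAR of the diversified portfolio is 100 (VAR is not subadditive), and VAR is blind to how large the loss beyond the quantile is, while expected shortfall is not.

```python
from itertools import product

def var(losses, probs, level):
    """Value at Risk: the smallest loss x with P(loss <= x) >= level.
    losses/probs describe a discrete loss distribution (losses >= 0)."""
    cum = 0.0
    for loss, p in sorted(zip(losses, probs)):
        cum += p
        if cum >= level - 1e-12:
            return loss
    return max(losses)

def expected_shortfall(losses, probs, level):
    """Average loss in the worst (1 - level) fraction of outcomes."""
    tail = 1.0 - level
    remaining, total = tail, 0.0
    for loss, p in sorted(zip(losses, probs), reverse=True):
        take = min(p, remaining)      # only the tail mass counts
        total += loss * take
        remaining -= take
        if remaining <= 1e-12:
            break
    return total / tail

def combine_independent(a, b):
    """Loss distribution of a portfolio holding two independent positions
    (convolution of the two discrete distributions)."""
    out = {}
    for (la, pa), (lb, pb) in product(zip(*a), zip(*b)):
        out[la + lb] = out.get(la + lb, 0.0) + pa * pb
    return list(out), list(out.values())

# Constructed example: a position that loses 100 with probability 0.6%.
POSITION = ([0.0, 100.0], [0.994, 0.006])
PORTFOLIO = combine_independent(POSITION, POSITION)

def subadditivity_gap(level=0.99):
    """VAR(A+B) - (VAR(A) + VAR(B)); positive means diversification
    *raised* the reported VAR, i.e. VAR is not subadditive here."""
    solo = var(*POSITION, level)
    return var(*PORTFOLIO, level) - 2 * solo

if __name__ == "__main__":
    print("99% VAR, one position:", var(*POSITION, 0.99))       # 0.0
    print("99% VAR, both held:   ", var(*PORTFOLIO, 0.99))      # 100.0
    print("99% ES, one position: ", expected_shortfall(*POSITION, 0.99))
    print("99% ES, both held:    ", expected_shortfall(*PORTFOLIO, 0.99))
```

Changing the single-position loss from 100 to 10,000 leaves its 99% VAR at zero but multiplies its expected shortfall by 100, which is the panelist’s point about the tails.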

The panelists then turned to the role of risk managers, and their role in predicting the future (in the context of the financial crisis). If risk is lack of information about the future, many companies failed to hedge when there was a very cloudy future (lack of information). One panelist noted that in many cases the risk management failure was more than just the technical capability of knowing what to do; it was actually a failure to be able to drive action.

The question of the changing regulatory landscape came up, with one panelist joking that CRO stands for Chief Regulatory Officer now. Another joked that he’s trying to stay away from the regulatory topic because they don’t know whether what they do will be “legal or illegal” under reg reform.

There was agreement that the FDIC has been very successful in carrying out their mission. But one panelist said that in the near term we don’t seem to be on a path towards getting an effective systemic risk regulator. Another said that we’re creating systemic risk through regulatory uncertainty.

The noon panel at GARP discussed risk and performance management, with a diverse set of participants, including representation from Hess, Swiss Re, and Vanguard.

Kanwardeep Ahluwalia from Swiss Re noted that many companies are going through a derisking process right now. However, Ahluwalia cautioned that companies need to be cognizant of how much they are paying to reduce their risk. In many cases, especially now, it may make more sense to manage the risk internally to maximize performance.

What is the role of risk management in the budget process? Panelists suggested that during the budgetary process risk management should step up and call out inconsistencies between risk and performance goals. The moderator, Kevin Buehler from McKinsey, noted that many times he has found that companies in trouble have misaligned expectations between risk and reward. For instance, a company may have aggressive revenue goals to take share in a particular (emerging) market, but those goals may be in conflict with a risk-adjusted return on capital. However, he said that risk management does not normally win out in a conflict in which the CEO is on the other side, but you have to force the dialog.

Jonathan Stein from Hess argued that risk management needs to move beyond the “Be Careful” mantra and move into recommendations for risk mitigation. He talked about the importance of developing scenarios that help define triggers for risk mitigation actions.

In general, the message from the panelists was that deeper interaction with the business allows risk managers to be more effective. This includes everything from designing risk management processes around the way the business makes money to prompting a dialog at the executive level when risk and performance expectations are not aligned.

OPUS 2010 keynote speaker, independent financial fraud investigator and Madoff whistleblower Harry Markopolos will release his exclusive story “No One Would Listen: A True Financial Thriller” on March 2.

The book, which will be made available to all OPUS 2010 attendees, describes how he and his team, “The Fox Hounds,” investigated Madoff and presented their case to the SEC on numerous occasions, years before Madoff turned himself in on December 11, 2008 (approximately $65 billion later).

From May 2000 to December 2008, Markopolos and his team submitted five separate and detailed warnings to the Securities and Exchange Commission (SEC) about Madoff’s operations in an effort to launch an investigation on the validity of his practices.

During the OPUS keynote address, Markopolos will detail how his four person investigative team tracked Madoff and the Madoff Feeder Funds throughout Europe and North America and repeatedly submitted detailed reports to the SEC.

If you’re an OpenPages customer and would like to hear Mr. Markopolos discuss the red flags, warning signs and the critical audit steps that companies need to be aware of to prevent similar events from occurring in the future, register for OPUS 2010 and receive a complimentary copy of his new book. It’s promising to be a “Thriller”!

Accelerated filers of course have long been subject to SOX 404 (a), requiring management reporting on the effectiveness of internal control over financial reporting, as well as section (b), where auditor attestation is required. While having to incur tremendous costs, with some companies seeing little commensurate benefit, others have seen improvement in business process effectiveness, internal control beyond financial reporting, and improved compliance more broadly. Non-accelerated filers, already subject to management reporting, have gained another reprieve from the auditor attestation requirements of section (b). Great news, many are saying. They hail the opportunity to avoid incurring additional costs and taking focus away from running and growing their businesses.

Recently I came across an article in Directors & Boards by a former colleague of mine that offers a different perspective, which in my view is worth considering. His view is, in addition to the SEC losing credibility – agreeing to another deferral after making clear and definitive statements that no more would be forthcoming – that requiring and adhering to section (b) offers benefits beyond the costs, for a number of reasons. These include: (1) smaller companies traditionally have less sophisticated systems and less experienced individuals in management positions, with statistics showing greater incidences of fraud and restatement of financial results; (2) the 404(b) compliance costs have come down with the advent of AS 5 and COSO’s guidance for smaller businesses; (3) studies indicate that companies that are not SOX compliant or have material weaknesses in their internal controls receive a lower valuation, whereas those that are compliant receive higher multiples when sold; (4) these companies are less likely to take advantage of IT solutions that provide enhanced efficiency and management capabilities well beyond better controlled financial reporting; and (5) CEOs and CFOs who already must certify to the effectiveness of financial reporting controls are on the hook by themselves, failing to receive the comfort provided by auditor attestation.

Certainly, these arguments are worth considering by senior managements and boards of companies still waiting to see whether and when the 404 (b) requirement ultimately will become effective.

If you’re involved in developing, enhancing or monitoring your company’s risk management activities, you probably know that “risk” and associated terms are used very differently by different people. This too often is the case throughout an organization, right up to the board level. Indeed, experience shows that senior managements and boards think they’re talking the same language, when they are not.

How often have you heard the terms “risk assessment,” “risk management,” and “enterprise risk management” used almost interchangeably? If your experience is anything like mine, it happens all the time. My sense is that busy executives and directors understand the basic concept of risk and don’t take the time to get into what are perceived to be details in terminology. The resulting problem, however, is that we talk at cross purposes and misunderstandings abound. Risk related professionals know well that a risk assessment is a point-in-time snapshot of risks in an organization, risk management includes a number of activities in identifying, analyzing and managing risk, and enterprise risk management raises the bar to a still higher level.

A fundamental issue is that too often top managements and boards believe their organizations have in place effective enterprise risk management processes when in fact they don’t. They know the words, and truly believe they deal with risk as well as any organization. They believe their senior management team focuses on risk and drives risk management throughout the organization. And what we’ve often found is that they are wrong.

It is not a simple task to change the minds of high powered CEOs and directors. And one wonders whether it’s worth one’s political capital to push this issue. But this is so important a matter that to know there’s misunderstanding and allow it to continue is dangerous – for top management, the board, the company, and all of its people.
